Replies: 2 comments
-
I like the idea of restricting access to logs. Since logs are fetched using the Argo CD API, I think introducing a new resource type for RBAC would be rather easy and the right way to go for restricting access to pod logs. Reflecting that restriction in the UI (e.g. don't show the log tabs for pods in applications that the user has no log access for) would be another challenge, but also doable I think.
-
The enhancement issue for this:
-
In my org, there are cases where users who are allowed to log in to the ArgoCD UI are not allowed to see container logs.
This is a security requirement, since the logs potentially contain sensitive business data. For my org, this is so crucial that it might block accessing the ArgoCD UI or even using ArgoCD in production at all.
It would be beneficial to approach this issue. I see a couple of levels this might be implemented at:
- A boolean approach: either show the logs in the UI or don't, based on a parameter in the ArgoCD param configmap.
- An RBAC approach: treat the "logs" as something like the "application" in terms of permissions, and enable defining the permissions to allow or forbid viewing logs on the project (treating the logs as a sub-resource of a project, similar to application).
Something like the following project policy:
- p, proj:my-project:log-viewer, logs, get, my-project/*, allow
Two options here to hide the logs:
Not sure how to address the cli restriction on logs yet.
I might be able to raise a PR for the simplest scenario: a boolean approach + one of the UI changes.
I am sure that more orgs will require this at some point in time. For us this is considered a significant feature. The question is, how valuable is this to ArgoCD release managers? Will the PR be approved?
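As an added illustration of the RBAC approach proposed in the post above (not code from the post or from the Argo CD project), here is a simplified Python model of how policy lines in that shape would be evaluated. The `app-viewer` role, the `payments` application, the glob matching and the deny-overrides rule are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample policy: the log-viewer line proposed in the post, plus a
# hypothetical app-viewer role (no logs rule) and a hypothetical explicit deny.
POLICY_CSV = """
p, proj:my-project:log-viewer, logs, get, my-project/*, allow
p, proj:my-project:app-viewer, applications, get, my-project/*, allow
p, proj:my-project:log-viewer, logs, get, my-project/payments, deny
"""


def parse_policy(text):
    """Parse 'p, subject, resource, action, object, effect' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or fields[0] != "p":
            raise ValueError(f"malformed policy line: {raw!r}")
        if fields[5] not in ("allow", "deny"):
            raise ValueError(f"unknown effect in line: {raw!r}")
        rules.append(tuple(fields[1:]))
    return rules


def is_allowed(rules, subject, resource, action, obj):
    """Default deny. Assumption: an explicit deny overrides any matching allow."""
    allowed = False
    for sub, res, act, pattern, effect in rules:
        if sub != subject:
            continue
        # Assumption: resource, action and object are matched as globs.
        if not (fnmatchcase(resource, res) and fnmatchcase(action, act)
                and fnmatchcase(obj, pattern)):
            continue
        if effect == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    rules = parse_policy(POLICY_CSV)
    for role in ("proj:my-project:log-viewer", "proj:my-project:app-viewer"):
        for app in ("my-project/guestbook", "my-project/payments"):
            print(role, app, is_allowed(rules, role, "logs", "get", app))
```

The point to check in any real implementation is the same as in this model: a role that can `get` applications must not implicitly gain `logs, get`, so the absence of a logs rule has to evaluate to deny.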